An 11-year-old successfully hacked a replica website for the Florida Secretary of State and changed election results in less than 10 minutes during a hacking convention in Las Vegas, according to event organizers.


Nearly 40 hackers from 6 to 17 years old attempted to hack replica websites for 6 swing states during the DEFCON hacking event on Friday and Saturday.

More than 30 hackers were able to complete an exploit. The quickest exploit was done in under 10 minutes by 11-year-old Emmett Brewer.

The hackers were able to tamper with vote tallies, party names and candidate names, and total vote counts were changed to numbers including “12 billion.” One hacker also changed a candidate’s name to “Bob Da Builder.”

The National Association of Secretaries of State issued a statement that said the group is “ready to work with civic-minded members of the DEFCON community”; however, the group also expressed skepticism about the ability of hackers to access the real websites:

“We are also concerned that creating “mock” election office networks and voter registration databases for participants to defend and/or hack is also unrealistic. It would be extremely difficult to replicate these systems since many states utilize unique networks and custom-built databases with new and updated security protocols.”

As hackers sit down to break into dozens of voting machines in Las Vegas this weekend, some state and local election officials who have flown in to witness the spectacle at one of the world’s largest hacking conventions are becoming increasingly concerned about another threat to November’s midterm elections: information warfare.

Organizers of a “voting village” at the annual Def Con hacker convention have packed a conference room at Caesars Palace with voting machines and have asked civically-curious hackers to wreak havoc. The event, now in its second year, is supposed to demonstrate vulnerabilities in America’s vast election infrastructure.

After a few hours on Friday, one hacker was essentially able to turn a voting machine into a jukebox, making it play music and display animations. While such hacks are a cause of concern for election officials, they are increasingly looking beyond the threats against traditional election infrastructure like voting machines and voting databases and more to the threat of disinformation.

What, some of them ask, if they fall victim to a coordinated information warfare campaign?

Recent indictments of Russian nationals by special counsel Robert Mueller allege Russia’s targeting of the Democratic party and the Clinton campaign in 2016 was two-fold. First came the successful penetration of campaign emails, and then a coordinated information warfare campaign that involved the dissemination of the hacked materials through specially-built websites and social media accounts, including DCLeaks, and through other sites like WikiLeaks.

If state election boards were to be targeted in this way, where voter information or voting systems were hacked and a coordinated campaign to disseminate or weaponize that information followed on social media, it could lead to widespread confusion that could undermine the integrity of an election, some officials fear.

“Obviously, we look at what happened in 2016 and what we should expect in the future is a two-pronged attack,” says Noah Praetz, the director of elections for Cook County in Illinois.

Praetz says when it comes to the first part of an attack, the targeting of election infrastructure, election officials across the country are taking steps to mitigate against a breach — steps they can take because they are responsible for those systems. But he says when it comes to the second part, the use of hacked material, things get more difficult.

He points out, “what you’ve got, what was clearly a more successful line of attack [in 2016] was this disinformation campaign, and it’s interesting, and it needs to inform what we’re doing, but it’s a really tough place to operate in because we don’t have much, if any, control in there.”

Alex Padilla, California’s secretary of state, told CNN, “There’s always been a concern about the integrity of our elections and there’s always been a concern about misinformation, disinformation being disseminated around campaigns.”

But Padilla, who is the only secretary of state to attend Def Con this year, said the threat of disinformation campaigns has heightened due to social media.

The Belfer Center for Science and International Affairs at the Harvard Kennedy School is briefing election officials on what to do if they are the target of a conventional hack, a disinformation operation, or both. The center is advising officials to establish plans to monitor and, when warranted, respond to misinformation on social media.

Padilla’s office says California is hiring half a dozen cybersecurity communications professionals and others to help mitigate against the risk.

Padilla says his team is in regular contact with the major social media companies, all of which call California home, and is happy with their cooperation so far. But the test, he says, will come if California’s elections come under attack.

Disinformation campaigns could seek to misinform voters in an effort to deter them from casting a ballot. In 2016, the Internet Research Agency, a Kremlin-linked troll group that has since been indicted by special counsel Robert Mueller, targeted Hillary Clinton voters with false information telling them they could vote by text message or online.

But there appears to be growing concern among election officials that the communication of election results could also be vulnerable.

Child’s play

“The biggest threat is who reports the votes and having that hacked,” West Virginia’s secretary of state, Mac Warner, told CNN last month at a cybersecurity training event he organized for local election officials.

Warner said that the way election results are communicated from states to the public needs to be particularly protected, and news organizations should be on guard.

In Vegas, Def Con organizers arranged for mock versions of some swing states’ election board websites, where results are posted, to be built to identify potential vulnerabilities.

“Unfortunately, it’s so easy to hack the websites that report election results that we couldn’t do it in this room because [adult hackers] would find it boring,” said Jake Braun, one of the event’s organizers.

So on Friday, almost 40 child hackers between the ages of 6 and 17 were let loose on the mock sites, and most of them were able to tamper with vote tallies, some even changing candidates’ names to things like “Bob Da Builder” and “Richard Nixon’s Head.”

‘Pseudo environment’

Plans for such provocative demonstrations led the National Association of Secretaries of State (NASS), the group that represents the top state officials in charge of elections, to criticize the Def Con voting village on Thursday.

The mock sites Def Con built for the kids to hack aren’t up to snuff, NASS said.

“It would be extremely difficult to replicate these systems since many states utilize unique networks and custom-built databases with new and updated security protocols,” the group said in a statement.

More generally, NASS is critical of Def Con’s overall approach. Giving hackers unfettered access to voting machines, which allows hackers at the conference to turn the machines into jukeboxes, for instance, is not based on reality.

“Our main concern with the approach taken by DEFCON is that it utilizes a pseudo environment which in no way replicates state election systems, networks or physical security,” NASS said.

But Braun, a former White House official who served as national deputy field director on President Barack Obama’s 2008 presidential campaign, disputed NASS’s assertion, saying it would be possible for hackers to access the machines either physically or virtually.

“It’s not like these machines are kept in Fort Knox,” he said.

Many election machines are what is known as “air-gapped,” meaning they are never connected to the internet. But Braun said that doesn’t mean they can’t be hacked, referencing Stuxnet, a virus that was able to breach Iran’s nuclear system even though it was also not connected to the internet.

The Iranians, Braun explained animatedly, “were developing the bomb and kept their centrifuges in locked concrete vaults buried in the desert in Iran, and, guess what? Hackers were still able to hack into that and blow up the centrifuges pretty much at will. If anybody thinks that hacking this voting equipment is of any less strategic importance to Putin than it was for the people that hacked in to the Iranian nuclear program to do that, then they don’t understand geopolitics.”